SUN REF: P6471US 
WHAT IS CLAIMED IS: 

1. A portable storage device containing network identification information for a
processing unit that is connectable to a data communications network and
includes a device reader for reading the portable storage device, the portable
storage device comprising storage and an access controller, the storage holding
a network identity for the processing unit and at least one encryption key, and
the access controller being operable to control access to the storage by
implementing key-key encryption.

2. The portable storage device of claim 1, comprising at least one secure storage
portion accessible only under the control of the access controller. 

3. The portable storage device of claim 2, wherein said at least one encryption 
key is held in said secure storage portion. 

4. The portable storage device of claim 2, wherein at least one network security 
encryption key is held in said secure storage portion. 

5. The portable storage device of claim 2, wherein a file is configured in said
secure storage portion.

6. The portable storage device of claim 2, wherein one or more files containing 
information are configured in respective secure storage portions. 

7. The portable storage device of claim 2, wherein the access controller is
operable to perform key-key verification of a request encrypted by a request 
key supplied from the processing unit and, in response to the request key 
verifying correctly, to return to the processing unit an access key derived from 
said at least one encryption key to permit access to the secure storage portion. 

8. The portable storage device of claim 7, wherein the access controller is
subsequently operable to respond to a command from the processing unit that
is encrypted using the access key to access the secure storage portion.

9. The portable storage device of claim 2, wherein the storage in the portable 
storage device comprises random access memory, the secure storage 
comprising a part of the random access memory. 

10. The portable storage device of claim 1, wherein the access controller is a
programmed microcontroller. 

11. The portable storage device of claim 1, wherein the portable storage device is
a smart card. 

12. The processing unit of claim 1, wherein the network identity comprises a 
MAC address. 

13. A processing unit connectable to a data communications network, the
processing unit having a device reader for a portable storage device that
includes storage and an access controller, the storage holding a network
identity for the processing unit and at least one encryption key, and the access
controller controlling access to the storage by implementing key-key
encryption, the processing unit being operable to access a secure portion of the
storage of the portable storage device by supplying a key-encrypted request to
the access controller, and, in response to receipt of an access key from the
access controller, being operable to send an encrypted command to access the
content of the storage of the portable storage device.

14. The processing unit of claim 13, wherein, in response to the return of an access
key, the processing unit is operable to use the access key to encrypt a 
command for access to a secure storage in the portable storage device. 

15. The processing unit of claim 13, wherein the portable storage device is a smart
card, the access controller is a microcontroller and the device reader is a smart 
card reader. 



16. The processing unit of claim 13, wherein the network identity comprises a
MAC address.



17. The processing unit of claim 13, comprising a service processor, the service 
processor being programmed to control reading of the portable storage device. 

18. The processing unit of claim 17, wherein the service processor is a
microcontroller. 



19. The processing unit of claim 13, wherein the processing unit is a computer
server.

20. The processing unit of claim 13, wherein the processing unit is a rack 
mountable computer server. 



21. A control program for a processing unit connectable to a data communications
network, the processing unit having a device reader for a portable storage
device that includes storage and an access controller, the storage holding a
network identity for the processing unit and at least one encryption key, and
the access controller controlling access to the storage by implementing key-key
encryption, the control program being operable to access a secure portion of
the storage of the portable storage device by supplying a key-encrypted request
to the access controller, and, in response to receipt of an access key from the
access controller, being operable to send an encrypted command to access the
content of the storage of the portable storage device.

22. The control program of claim 21, wherein, in response to the return of an 
access key, the control program is operable to use the access key to encrypt a 
command for access to secure storage in the portable storage device. 

23. The control program of claim 21, wherein the portable storage device is a 
smart card, the access controller is a microcontroller and the device reader is a 
smart card reader. 

24. The control program of claim 21, wherein the network identity comprises a 
MAC address. 

25. The control program of claim 21, comprising a service processor, the service 
processor being programmed to control reading of the portable storage device. 

26. The control program of claim 21 on a carrier medium. 

27. The control program of claim 21, wherein the processing unit comprises a 
service processor, the control program controlling operation of the service 
processor. 

28. The control program of claim 27, wherein the service processor is a 
microcontroller. 

29. A microcontroller comprising a control program as recited in claim 21. 

30. A server computer comprising a device reader for reading a portable storage, a
processor, memory and a microcontroller as recited in claim 29, the
microcontroller being operable as a service processor and connected to read
the content of storage in a portable storage device mounted in the portable
storage device.

31. A method securing encryption keys for use in a processing unit connectable to
a data communications network, the method comprising:

- providing a portable storage device for a processing unit that is connectable
to the data communications network and includes a device reader for
reading the portable storage device, which portable storage device
comprises storage and an access controller;

- providing in the storage a network identity for the processing unit and at
least one encryption key; and

- implementing key-key encryption in the access controller for controlling
access to the storage.

32. The method of claim 31, comprising defining at least part of the storage in the
portable storage device as secure storage accessible only under the control of
the access controller.

33. The method of claim 32, comprising storing said at least one encryption key in 
said secure storage. 

34. The method of claim 32, comprising storing at least one network security
encryption key in said secure storage. 

35. The method of claim 31, comprising:

- the processing unit supplying a key-encrypted request to the access
controller;

- the access controller providing key-key verification of the request key
supplied from the processing unit; and

in response to the key-encrypted request verifying correctly;

- returning to the processing unit an access key to permit access to the secure
storage;

- the processing unit encrypting a command using the access key to access
the secure storage; and

- the access controller responding to the first command to access the first
storage.

36. The method of claim 31, wherein the network identity comprises a MAC 
address. 